000016852 - Installing TACACS+ software on Red Hat AS/ES 4 Linux for RSA Authentication Manager 7.1

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016852
Applies To:
  Red Hat AS/ES 4 Linux
  TACACS
  RSA Authentication Manager 7.1 SP2 or later
  RSA SecurID Appliance 3.0 SP2 or later

Issue: Installing TACACS+ software on Red Hat AS/ES 4 Linux for RSA Authentication Manager 7.1
Resolution

The following instructions build a TACACS+ server on a remote Red Hat Enterprise 4 Linux server. That server must itself be an agent host in the RSA Authentication Manager database.

1. Build a Red Hat AS/ES 4 Linux server (refer to the Red Hat documentation on installing this software).

2. Download and unpack the RSA Authentication Manager 7.1 Service Pack 2 full install kit (available from version upgrades in RSA SecurCare Online) onto a Windows computer.

3. Copy the contents of the windows-x86\tacplus\linux-x86 folder into a working folder on the Red Hat Enterprise 4 Linux server (e.g. /temp/tacplus).

4. Create a 'tacacs+' installation folder on the Red Hat Enterprise 4 Linux server, e.g.

    mkdir /opt/tacplus

5. Check the file permissions of the copied tacplus files, e.g.

    [root@redhat4u8 tacplus]# ls -l
    total 1504
    -rwx------  1 root root     161 Jan  6 12:59 copyright.txt
    -rwxrwxr-x  1 root root   34116 Jan  6 12:59 tacplusinstall
    -rwx------  1 root root    3322 Jan  6 12:59 tacplus_install_readme.txt
    -rwxrwxr-x  1 root root 1486120 Jan  6 12:59 tacplus.tar.Z
    -rwx------  1 root root      67 Jan  6 12:59 tacver.txt
    [root@redhat4u8 tacplus]#

   tacplusinstall and tacplus.tar.Z should have rwxrwxr-x (755) permissions

6. Add the Red Hat Enterprise 4 Linux server as an agent host in the RSA Security Console of the primary:

   RSA Security Console > Access > Authentication Agents > Add New

   - Under Authentication Agent Basics, add a Hostname and IP Address. Click Save.

   NOTE: The Hostname and IP address must be resolvable on the network.

7. Using the RSA Security Console of the primary, generate a configuration (sdconf.rec) file for the Red Hat Enterprise 4 Linux server (where the tacacs+ server will be installed):

   RSA Security Console > Access > Authentication Agents > Generate Configuration File > click the Generate Config File button > click Download_Now button

   AM_Config.zip contains the 'sdconf.rec' (configuration) file.

8. Copy the AM_Config.zip into the 'tacacs+' installation folder and then unpack AM_Config.zip.

9. Navigate to the 'tacacs+' installation folder (e.g. /opt/tacplus) and run the shell script to install the tacacs software, e.g. /temp/tacplus/tacplusinstall

    [root@redhat4u8 tacplus]# /software/tacplus/tacplusinstall

                   Copyright 1994 - 2008 by RSA Security Inc.
                         RSA Authentication Manager 7.1

                           ---ALL RIGHTS RESERVED---

    Specify the login name of the administrator who owns
    the RSA Authentication Manager TACACS+ Service directories and files.
    This administrator name must belong to a secure group
    that will be allowed to access these directories.

    Which administrator will own the RSA Authentication Manager TACACS+ Service files?
    Enter owner and owner group using format 'owner:group': root:root

    You have specified administrator 'root:root'. Is this correct: (y/n/q) [y]: y

    You must specify a top level directory path where the RSA Authentication Manager TACACS+ Service
    software should reside.

    Enter the top level directory path: /opt/tacplus

    You have specified '/opt/tacplus'. Is this correct? (y/n/q) [y]: y

    Changing file group IDs...

    Changing file ownerships...

    Changing file permissions...

    Installation of RSA Authentication Manager TACACS+ Service software
    complete at Thu Jan  6 13:52:54 EST 2011.

    [root@redhat4u8 tacplus]#

   NOTE: If the Red Hat Enterprise 4 Linux server already has RSA Authentication Manager installed, the installation will abort (shown below).

    [root@redhat4u8 tacplus]# /software/tacplus/tacplusinstall

                   Copyright 1994 - 2008 by RSA Security Inc.
                         RSA Authentication Manager 7.1

                           ---ALL RIGHTS RESERVED---

    Setup detected existing installation of the RSA Authentication Manager
    at the /opt/am61/ace/prog location.
    Remove RSA Authentication Manager before installing
    the RSA Authentication Manager TACACS+ Service.

    Aborting 'tacplusinstall'...

    'tacplusinstall' aborted.

    [root@redhat4u8 tacplus]#

10. Start the 'tacacs+' service using the tacplus shell script located in the /opt/tacplus/ace/prog folder, e.g.

    [root@redhat4u8 prog]# ./tacplus start
                   Copyright 1994 - 2008 by RSA Security Inc.
                         RSA Authentication Manager 7.1

                           ---ALL RIGHTS RESERVED---
    Message: Starting RSA Authentication Manager TACACS+ Service.
    Message: RSA Authentication Manager TACACS+ Service start operation completed
    [root@redhat4u8 prog]#

11. IMPORTANT NOTES:

   There must be an agent host for each device sending TACACS+ authentications to the RSA Authentication Manager. Use the RSA Security Console with an administrative user to add an agent host.

   The first authentication through the TACACS+ server will generate a node secret (a file called 'securid') located in the /opt/tacplus/ace/data folder. The real-time authentication activity monitor (available from the RSA Security Console) will report the node secret being generated.

Stopping the 'tacacs+' service using the tacplus shell script in the /opt/tacplus/ace/prog folder, e.g.

    [root@redhat4u8 prog]# ./tacplus stop
                   Copyright 1994 - 2008 by RSA Security Inc.
                         RSA Authentication Manager 7.1

                           ---ALL RIGHTS RESERVED---
    Message: Stopping RSA Authentication Manager TACACS+ Service.
    Message: RSA Authentication Manager TACACS+ Service stop operation completed
    [root@redhat4u8 prog]#

Debugging the 'tacacs+' service

i)   Stop the 'tacacs+' service
ii)  Edit the sdtacplus.arg file located in the /opt/tacplus/ace/data folder
iii) Locate the line '# -d16383' (this is usually line 81 of 122) and uncomment the line
iv)  Save the change in sdtacplus.arg
v)   Start the 'tacacs+' service

/var/tmp/tac_plus.log is the file where the debug data is written
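
The edit in steps ii) to iv) above, as an added shell example (not part of the RSA article or the RSA kit). It assumes the debug line reads '# -d16383' when disabled and '-d16383' when enabled; the function names set_tacplus_debug and make_sample_argfile are hypothetical.

```shell
#!/bin/sh
# Added example, not RSA code. Assumption: the debug line in sdtacplus.arg is
# '# -d16383' when disabled and '-d16383' when enabled (per the article text).
ARG_FILE=/opt/tacplus/ace/data/sdtacplus.arg    # path from the article

# make_sample_argfile FILE: write a constructed stand-in for sdtacplus.arg
# so the function below can be tried without touching a real install.
make_sample_argfile() {
    printf '%s\n' '# constructed sample, not the real file' \
        '# debug level:' '# -d16383' '# end of sample' > "$1"
}

# set_tacplus_debug on|off [FILE]: uncomment or re-comment the debug line.
# Stop the service first and start it afterwards, as in steps i) and v).
# Returns 0 if FILE ends in the requested state, 1 otherwise.
set_tacplus_debug() {
    mode=$1
    file=${2:-$ARG_FILE}
    off_re='^#[[:space:]]*-d16383[[:space:]]*$'
    on_re='^-d16383[[:space:]]*$'
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    case $mode in
        on)  want=$on_re;  from=$off_re; to='-d16383' ;;
        off) want=$off_re; from=$on_re;  to='# -d16383' ;;
        *)   echo "usage: set_tacplus_debug on|off [file]" >&2; return 1 ;;
    esac

    # Idempotent: already in the requested state, leave the file alone.
    if grep -q -- "$want" "$file"; then return 0; fi

    # Refuse to guess: exactly one candidate line must exist.
    n=$(grep -c -- "$from" "$file" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 debug line, found $n" >&2; return 1; }

    # Back up, then rewrite in place so owner and mode of FILE are unchanged.
    cp -p "$file" "$file.bak" || return 1
    sed "s/$from/$to/" "$file" > "$file.new" || return 1
    cat "$file.new" > "$file" || return 1
    rm -f "$file.new"
}
```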

If the tacacs+ software is installed onto an unsupported Red Hat Enterprise Linux server, the administrator will get the following message and the installation will abort.

    [root@redhat4u8 tacplus]# /tmp/tacplus/tacplusinstall

    The version of your operating system is not supported.
    Upgrade the OS and run 'tacplusinstall' again.

    Aborting 'tacplusinstall'...

    'tacplusinstall' aborted.

    [root@redhat4u8 tacplus]#

Workaround: Using older routers and switches that can only use the TACACS protocol

Legacy Article ID: a53474
